[
https://issues.apache.org/jira/browse/DERBY-6631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14109435#comment-14109435
]
Dag H. Wanvik commented on DERBY-6631:
--------------------------------------
Patch 1b looks good to me. +1
> FileMonitor can be used to elevate an application's privileges
> --------------------------------------------------------------
>
> Key: DERBY-6631
> URL: https://issues.apache.org/jira/browse/DERBY-6631
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.11.1.1
> Reporter: Rick Hillegas
> Attachments: d6631-1a-setThreadPriority.diff,
> d6631-1b-setThreadPriority.diff
>
>
> Various vulnerabilities in FileMonitor allow applications to perform
> security-sensitive operations with the elevated privileges granted to Derby:
> getDaemonThread() - The application can call this method in order to create
> threads, using Derby's elevated privileges.
> getJVMProperty() - The application can call this in order to read system
> properties using Derby's elevated privileges.
> setThreadPriority() - The application can call this method to change the
> priority of a daemon thread it has created. This call will execute with
> Derby's elevated privileges.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
